From afaf31c3a25cde38e51283c090a94bb1709780b8 Mon Sep 17 00:00:00 2001
From: FusionPBX
Date: Fri, 20 Dec 2024 11:07:05 -0700
Subject: [PATCH] Sanitize the caller ID name and number
---
 app/xml_cdr/resources/classes/xml_cdr.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/app/xml_cdr/resources/classes/xml_cdr.php b/app/xml_cdr/resources/classes/xml_cdr.php
index 8a5e20bb98..6980a5d534 100644
--- a/app/xml_cdr/resources/classes/xml_cdr.php
+++ b/app/xml_cdr/resources/classes/xml_cdr.php
@@ -614,6 +614,10 @@ if (!class_exists('xml_cdr')) {
 $domain_name = urldecode($xml->variables->domain_name);
 $domain_uuid = urldecode($xml->variables->domain_uuid);
+ //sanitize the caller ID
+ $caller_id_name = preg_replace('#[^a-zA-Z 0-9\-\.]#', '', $caller_id_name);
+ $caller_id_number = preg_replace('#[^0-9\-]#', '', $caller_id_number);
+ //misc
 $this->array[$key][0]['ring_group_uuid'] = urldecode($xml->variables->ring_group_uuid);
 $this->array[$key][0]['xml_cdr_uuid'] = $uuid;
@@ -1729,7 +1733,7 @@ if (!class_exists('xml_cdr')) {
 $sql .= "filter ( \n";
 $sql .= " where c.extension_uuid = e.extension_uuid \n";
 $sql .= " and status = 'answered' \n";
- if (!$this->include_internal) {
+ if (!$this->include_internal) {
 $sql .= "and (direction = 'inbound' or direction = 'outbound') \n";
 }
 $sql .= ") \n";
@@ -1741,7 +1745,7 @@ if (!class_exists('xml_cdr')) {
 $sql .= " where c.extension_uuid = e.extension_uuid \n";
 $sql .= " and status = 'missed' \n";
 $sql .= " and (cc_side is null or cc_side != 'agent') \n";
- if (!$this->include_internal) {
+ if (!$this->include_internal) {
 $sql .= "and (direction = 'inbound' or direction = 'outbound') \n";
 }
 $sql .= ") \n";
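Review bot: In the `@@ -614,6 +614,10 @@` hunk the number filter `[^0-9\-]` also strips a leading `+`, so an E.164 caller ID such as `+15551234567` (constructed example) is stored identically to `15551234567`, and the name filter `[^a-zA-Z 0-9\-\.]` removes every non-ASCII letter; both silently alter what the CDR records, which matters when those records are later used to investigate fraud or abuse. If the international prefix is meant to survive, the line could read `$caller_id_number = preg_replace('#[^0-9+\-]#', '', $caller_id_number);`. The allow-list covers only these two variables, while the context lines in the same hunk still store `urldecode($xml->variables->ring_group_uuid)` unvalidated, so the block deserves a comment such as `//defence in depth only: every value taken from the CDR XML is untrusted and must still be escaped on output`. Where `$caller_id_name` and `$caller_id_number` are first assigned, and where they are written to `$this->array`, lies outside the hunk, so it cannot be confirmed from here that the sanitised values are the ones persisted.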
@@ -1752,7 +1756,7 @@ if (!class_exists('xml_cdr')) {
 $sql .= "filter ( \n";
 $sql .= " where c.extension_uuid = e.extension_uuid \n";
 $sql .= " and status = 'voicemail' \n";
- if (!$this->include_internal) {
+ if (!$this->include_internal) {
 $sql .= "and (direction = 'inbound' or direction = 'outbound') \n";
 }
 $sql .= ") \n";
@@ -2252,5 +2256,3 @@ if (!class_exists('xml_cdr')) {
 } //class }
-
-?>